Check Point: "Upgrade a VSX with Non-DMI configuration is not supported"

Symptoms

When using the installer to upgrade the VSX firewall, running the installer verify <number> command to verify the installation package returns the following error:

installer verify 1
Info: Initiating verify of Check_Point_R80.20_T101_Fresh_Install_and_Upgrade_Security_Gateway.tgz…
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Verifier results
Package: R80.20 Fresh Install and Upgrade for Security Gateway and Standalone
Clean Install: Installation is allowed.
Upgrade: Upgrade a VSX with Non-DMI configuration is not supported.

Cause

This VSX cannot be upgraded because it uses a Non-DMI configuration.

A VSX deployment can be managed using one of the following interface schemes:

  • Dedicated Management Interface (DMI): Uses a separate interface that is restricted to management traffic, such as provisioning, logging and monitoring
  • Non-Dedicated Management Interface: Uses a shared internal or external interface that also carries routine user traffic

Note: In a non-DMI topology, the VSX (VS number 0) has no Dedicated Management Interface (DMI) through which it can communicate with the management station without passing through other Virtual Devices, that is, a Virtual Router (VR) or Virtual Switch (VSW).

Note 2: In a Non-DMI configuration, the default route of the “default” instance (the VSX, VS number 0) is via the wrp0/vpp0c0 interface. The VSX is connected via the VR (routing instance “vs1”). When the problem occurs, the default route entry of “vs1” is empty.
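
As an added example, not part of the original article and not Check Point's own tooling, the following shell functions extract the Upgrade verdict from captured installer verify output and flag the Note 2 indicator in a routing table captured from VS 0. The function names, the wrp*/vpp* prefix match and the sample routing table are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Check Point code): pre-upgrade triage for a VSX gateway.

# Print the verdict that follows a label ("Clean Install" or "Upgrade") in
# captured `installer verify` output, whether the result arrives on one line
# or split across several.
verifier_verdict() {   # $1 = label, stdin = captured output
    { printf ' '; tr '\n' ' '; echo; } | sed -n "s/.* $1: \([^.]*\.\).*/\1/p"
}

# Print the egress interface of the default route in `ip route` output.
default_route_dev() {
    awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Note 2: on a non-DMI VSX the default route of VS 0 is via wrp0/vpp0c0.
# Assumption: any interface named wrp* or vpp* counts as that indicator.
mgmt_scheme_hint() {   # stdin = routing table of VS 0
    dev=$(default_route_dev)
    case "$dev" in
        wrp*|vpp*) echo "non-DMI indicator: default route via $dev" ;;
        "")        echo "no default route found" ;;
        *)         echo "no non-DMI indicator: default route via $dev" ;;
    esac
}

# Combine both checks into one summary line per gateway.
triage() {   # $1 = verifier output, $2 = VS 0 routing table
    up=$(printf '%s\n' "$1" | verifier_verdict Upgrade)
    hint=$(printf '%s\n' "$2" | mgmt_scheme_hint)
    case "$up" in
        *"not supported"*) echo "BLOCKED ($hint): $up" ;;
        "")                echo "UNKNOWN ($hint): no Upgrade verdict found" ;;
        *)                 echo "OK ($hint): $up" ;;
    esac
}

# Verifier result text taken from this page; the routing table is constructed.
SAMPLE_VERIFY='Result: Verifier results Package: R80.20 Fresh Install and Upgrade for Security Gateway and Standalone Clean Install: Installation is allowed. Upgrade: Upgrade a VSX with Non-DMI configuration is not supported.'
SAMPLE_ROUTES='192.0.2.0/24 dev wrp0 proto kernel scope link src 192.0.2.2
default via 192.0.2.1 dev wrp0'

triage "$SAMPLE_VERIFY" "$SAMPLE_ROUTES"
```

A BLOCKED line means the gateway needs one of the options under Solution before the upgrade can proceed.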


Solution

Option 1. Perform a fresh install of this VSX with the new version.

Option 2. Rebuild this VSX and initialize it with a DMI configuration.

To define a Virtual Device with a shared interface:

  1. Select Create a Virtual Device.

  2. Select the Virtual Network Device type (Virtual Router or Virtual Switch).

  3. Select the shared physical interface to define a non-DMI gateway.
     Do not select the management interface if you want to define a Dedicated Management Interface (DMI) gateway. If you do not define a shared Virtual Device, a DMI gateway is created by default.

     Important - This setting cannot be changed after you complete the VSX Gateway Wizard. If you define a non-DMI gateway, you cannot change it to a DMI gateway later.

  4. Define the IP address and Net Mask for a Virtual Router.
     These options are not available for a Virtual Switch.

  5. Optional: Define a Default Gateway for a Virtual Router (DMI only).

Selecting Virtual Systems Creation Templates

The Creation Templates page lets you provision predefined, default topology and routing definitions to Virtual Systems. This makes sure Virtual Systems are consistent and makes the definition process faster. You always have the option to override the default creation template when you create or change a Virtual System.

The default Creation Templates are:

  • Shared Interface: Virtual Systems share one external interface, but maintain separate internal interfaces.
  • Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.

If the default templates are not appropriate, you can create a custom configuration:

  • Custom Configuration: Define Virtual System, Virtual Router, Virtual Switch, and Interface configurations.